Bug 658223 – Segfault when adding a comma to the expression from another sheet

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 658223 - Segfault when adding a comma to the expression from another sheet


Summary:	Segfault when adding a comma to the expression from another sheet


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	GUI Expression Entry Widget
Version:	1.10.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Jon Kåre Hellan
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2011-09-05 07:14 UTC by Peter
Modified:	2011-09-06 14:44 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Peter 2011-09-05 07:14:09 UTC

Tested using both 1.10.15 and 1.10.16

Steps to reproduce:

1) Insert a chart in sheet 1. (I used pie)
2) Go to the data series, press the select button and go to sheet 2.
3) Press one cell (it should appear in the expression line)
4) Enter a comma after the last cell in the expression line

Result:

A delay and then segfault.


Basically, it's impossible to select non-sequential ranges of cells from other sheets using the GUI. The workaround is to type the expression manually.

Comment 1 Morten Welinder 2011-09-05 16:47:18 UTC

I am unable to reproduce.

Comment 2 Andreas J. Guelzow 2011-09-05 17:14:59 UTC

I can reproduce (and so can Jean). It is essential to go to a second sheet.

Comment 3 Jean Bréfort 2011-09-05 20:00:17 UTC

I can reproduce, but not always.

Seems something loops indefinitely. Running in gdb with G_DEBUG="fatal_criticals" gives:

GLib-GObject-CRITICAL **: g_closure_ref: assertion `closure->ref_count < CLOSURE_MAX_REF_COUNT' failed
aborting...

Program received signal SIGABRT, Aborted.
0x00007ffff3c87405 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt

+ Trace 228341

#0 raise
from /lib/x86_64-linux-gnu/libc.so.6
#1 abort
from /lib/x86_64-linux-gnu/libc.so.6
#2 g_logv
from /lib/libglib-2.0.so.0
#3 g_log
from /lib/libglib-2.0.so.0
#4 g_closure_ref
from /usr/lib/libgobject-2.0.so.0
#5 g_closure_invoke
from /usr/lib/libgobject-2.0.so.0
#6 ??
from /usr/lib/libgobject-2.0.so.0
#7 g_signal_emit_valist
from /usr/lib/libgobject-2.0.so.0
#8 g_signal_emit
from /usr/lib/libgobject-2.0.so.0
#9 scg_rangesel_changed
at sheet-control-gui.c line 3246
#10 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#11 cb_graph_dim_editor_update
at wbc-gtk.c line 5457
#12 cb_graph_dim_editor_update
at wbc-gtk.c line 5426
#13 g_closure_invoke
from /usr/lib/libgobject-2.0.so.0
#14 ??
from /usr/lib/libgobject-2.0.so.0

Comment 4 Andreas J. Guelzow 2011-09-06 02:17:22 UTC

I first observe a long delay, then a large number of
(/home/aguelzow/gnumeric/bin/gnumeric:9511): GLib-GObject-CRITICAL **: g_closure_ref: assertion `closure->ref_count < CLOSURE_MAX_REF_COUNT' failed


and finally a crash:

+ Trace 228347

#0 ??
from /usr/lib/i386-linux-gnu/libgthread-2.0.so.0
#1 g_slice_alloc
from /lib/i386-linux-gnu/libglib-2.0.so.0
#2 g_string_sized_new
from /lib/i386-linux-gnu/libglib-2.0.so.0
#3 g_string_new
from /lib/i386-linux-gnu/libglib-2.0.so.0
#4 g_utf8_casefold
from /lib/i386-linux-gnu/libglib-2.0.so.0
#5 workbook_sheet_by_name
at workbook.c line 785
#6 sheetref_parse
at parse-util.c line 969
#7 rangeref_parse
at parse-util.c line 1081
#8 yylex
at parser.y line 1180
#9 gnm_expr_lex_all
at parser.y line 1688
#10 gee_update_lexer_items
at gnumeric-expr-entry.c line 958
#11 cb_entry_changed
at gnumeric-expr-entry.c line 1181

Comment 5 Andreas J. Guelzow 2011-09-06 02:20:36 UTC

My backtrace on the first log message is:

+ Trace 228348

#0 g_log
from /lib/i386-linux-gnu/libglib-2.0.so.0
#1 g_return_if_fail_warning
from /lib/i386-linux-gnu/libglib-2.0.so.0
#2 g_closure_ref
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#3 g_closure_invoke
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#4 ??
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#5 g_signal_emit_valist
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#6 g_signal_emit
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#7 gnm_expr_entry_thaw
at gnumeric-expr-entry.c line 2191
#8 scg_rangesel_changed
at sheet-control-gui.c line 3246
#9 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#10 cb_graph_dim_editor_update
at wbc-gtk.c line 5457

Comment 6 Andreas J. Guelzow 2011-09-06 02:30:19 UTC

The signal in play in the bts of comments #3 and #5 must be the "update" signal of the gnumeric-expr-entry (due to the bt in comment #5). The only callback attached to that signal seems to be cb_graph_dim_editor_update.

Comment 7 Andreas J. Guelzow 2011-09-06 02:54:01 UTC

This trace is interesting: (created at a random break point)

+ Trace 228349

#0 sc_sheet
at sheet-control.c line 75
#1 scg_sheet
at sheet-control-gui.c line 106
#2 cb_graph_dim_editor_update
at wbc-gtk.c line 5443
#3 g_cclosure_marshal_VOID__BOOLEAN
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#4 g_closure_invoke
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#5 ??
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#6 g_signal_emit_valist
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#7 g_signal_emit
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#8 gnm_expr_entry_thaw
at gnumeric-expr-entry.c line 2191
#9 scg_rangesel_changed
at sheet-control-gui.c line 3246
#10 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#11 cb_graph_dim_editor_update
at wbc-gtk.c line 5457
#12 g_cclosure_marshal_VOID__BOOLEAN
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#13 g_closure_invoke
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#14 ??
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#15 g_signal_emit_valist
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#16 g_signal_emit
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#17 gnm_expr_entry_thaw
at gnumeric-expr-entry.c line 2191
#18 scg_rangesel_changed
at sheet-control-gui.c line 3246
#19 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#20 cb_graph_dim_editor_update
at wbc-gtk.c line 5457
#21 g_cclosure_marshal_VOID__BOOLEAN
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#22 g_closure_invoke
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#23 ??
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#24 g_signal_emit_valist
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#25 g_signal_emit
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#26 gnm_expr_entry_thaw
at gnumeric-expr-entry.c line 2191
#27 scg_rangesel_changed
at sheet-control-gui.c line 3246
#28 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#29 cb_graph_dim_editor_update
at wbc-gtk.c line 5457
#30 g_cclosure_marshal_VOID__BOOLEAN
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#31 g_closure_invoke
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#32 ??
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#33 g_signal_emit_valist
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#34 g_signal_emit
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#35 gnm_expr_entry_thaw
at gnumeric-expr-entry.c line 2191
#36 scg_rangesel_changed
at sheet-control-gui.c line 3246
#37 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#38 cb_graph_dim_editor_update
at wbc-gtk.c line 5457
#39 g_cclosure_marshal_VOID__BOOLEAN
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#40 g_closure_invoke
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#41 ??
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#42 g_signal_emit_valist
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#43 g_signal_emit
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#44 gnm_expr_entry_thaw
at gnumeric-expr-entry.c line 2191
#45 scg_rangesel_changed
at sheet-control-gui.c line 3246
#46 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#47 cb_graph_dim_editor_update
at wbc-gtk.c line 5457
#48 g_cclosure_marshal_VOID__BOOLEAN
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#49 g_closure_invoke
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#50 ??
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#51 g_signal_emit_valist
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#52 g_signal_emit
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#53 gnm_expr_entry_thaw
at gnumeric-expr-entry.c line 2191
#54 scg_rangesel_changed
at sheet-control-gui.c line 3246
#55 gnm_expr_entry_parse
at gnumeric-expr-entry.c line 2560
#56 cb_graph_dim_editor_update
at wbc-gtk.c line 5457
#57 g_cclosure_marshal_VOID__BOOLEAN
from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#58 g_closure_invoke
#30188 cb_graph_dim_editor_update
#40007 cb_graph_dim_editor_update

and then I got bored...

Comment 8 Andreas J. Guelzow 2011-09-06 14:26:54 UTC

We have (in gnumeric-expr-entry.c):

	/* Reset the entry in case something changed */
	str = gnm_expr_top_as_string (texpr, pp, gee_convs (gee));
	g_printerr ("gnm_expr_entry_parse: '%s' vs '%s'\n", str, text);
	if (strcmp (str, text)) {
		SheetControlGUI *scg = wbcg_cur_scg (gee->wbcg);
		Rangesel const *rs = &gee->rangesel;
		if (gee == wbcg_get_entry_logical (gee->wbcg) &&
		    start_sel && sc_sheet (SHEET_CONTROL (scg)) == rs->ref.a.sheet) {
			scg_rangesel_bound (scg,
				rs->ref.a.col, rs->ref.a.row,
				rs->ref.b.col, rs->ref.b.row);
		} else {
			if (gee_debug)
				g_printerr ("Setting entry text: [%s]\n", str);
			gtk_entry_set_text (gee->entry, str);
		}
	}
	g_free (str);

We have str = '(Sheet2!$B$5,Sheet2!$C$8)' vs text = 'Sheet2!$B$5,Sheet2!$C$8' and end up calling scg_rangesel_bound.

This calls gnm_expr_entry_freeze/gnm_expr_entry_thaw, the latter causing an UPDATE signal to be triggered (for continuous update expression entries).

And the cycle repeats.

Comment 9 Andreas J. Guelzow 2011-09-06 14:44:38 UTC

This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.